$OpenBSD: patch-servers_slapd_schema_init_c,v 1.3 2013/06/17 19:30:22 ajacoutot Exp $

SECURITY FIX
Resolves CVE-2010-0211, CVE-2010-0212 (ITS#6570), and SA46599
from upstream

Also cure a crash in IA5StringNormalize() by sync'ing it with the same 
function from 2.4.23

--- servers/slapd/schema_init.c.orig	Thu Oct 27 10:02:29 2011
+++ servers/slapd/schema_init.c	Thu Oct 27 10:02:47 2011
@@ -1439,8 +1439,9 @@ UTF8StringNormalize(
 		? LDAP_UTF8_APPROX : 0;
 
 	val = UTF8bvnormalize( val, &tmp, flags, ctx );
+	/* out of memory or syntax error, the former is unlikely */
 	if( val == NULL ) {
-		return LDAP_OTHER;
+		return LDAP_INVALID_SYNTAX;
 	}
 	
 	/* collapse spaces (in place) */
@@ -1473,7 +1474,7 @@ UTF8StringNormalize(
 		}
 		nvalue.bv_val[nvalue.bv_len] = '\0';
 
-	} else {
+	} else if ( nvalue.bv_len )  {
 		/* string of all spaces is treated as one space */
 		nvalue.bv_val[0] = ' ';
 		nvalue.bv_val[1] = '\0';
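Review bot: The new `else if ( nvalue.bv_len )` guarding the all-spaces branch may be unreachable. If the opening `if` of this chain (outside the hunk) already tests that `nvalue` is non-empty, this arm only runs when `nvalue.bv_len` is zero, so the condition can never hold and an all-spaces value is no longer mapped to a single space. Testing the length of the pre-collapse value instead, `} else if ( tmp.bv_len ) {`, would keep that case reachable while still skipping the two-byte write for a genuinely empty input; please check this against the upstream change for ITS#6570. On the zero-length path neither arm writes a terminator, so a one-line comment such as `/* zero-length input: nvalue stays empty, nothing is written */` would make the intent explicit.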
@@ -2101,14 +2102,18 @@ IA5StringNormalize(
 	char *p, *q;
 	int casefold = !SLAP_MR_ASSOCIATED(mr, slap_schema.si_mr_caseExactIA5Match);
 
-	assert( SLAP_MR_IS_VALUE_OF_SYNTAX( use ));
+	assert( SLAP_MR_IS_VALUE_OF_SYNTAX( use ) != 0);
 
 	p = val->bv_val;
 
 	/* Ignore initial whitespace */
 	while ( ASCII_SPACE( *p ) ) p++;
 
-	normalized->bv_val = ber_strdup_x( p, ctx );
+	normalized->bv_len = val->bv_len - ( p - val->bv_val );
+	normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
+	AC_MEMCPY( normalized->bv_val, p, normalized->bv_len );
+	normalized->bv_val[normalized->bv_len] = '\0';
+
 	p = q = normalized->bv_val;
 
 	while ( *p ) {
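Review bot: The leading-whitespace loop `while ( ASCII_SPACE( *p ) ) p++;` is still bounded only by a terminating NUL, while the added length computation trusts `val->bv_len`. If `val->bv_val` is not terminated exactly at `bv_len`, `p` can run past the end and `val->bv_len - ( p - val->bv_val )` wraps (assuming `bv_len` is unsigned), which would size the allocation and the `AC_MEMCPY` from a bogus length. Bounding the skip keeps the two consistent: `while ( p < val->bv_val + val->bv_len && ASCII_SPACE( *p ) ) p++;`. The result of `slap_sl_malloc()` is also written through unchecked; whether that allocator can return NULL rather than abort is not visible here, so confirm it or add a guard before the copy. The function body starts and continues outside the hunk.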
@@ -2137,7 +2142,7 @@ IA5StringNormalize(
 	 * position.  One is enough because the above loop collapsed
 	 * all whitespace to a single space.
 	 */
-	if ( ASCII_SPACE( q[-1] ) ) --q;
+	if ( q > normalized->bv_val && ASCII_SPACE( q[-1] ) ) --q;
 
 	/* null terminate */
 	*q = '\0';
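Review bot: The added `q > normalized->bv_val` guard is not explained by the comment above it, which only says why stepping back once is enough. Suggest appending to that comment: `Skip this when nothing was copied (empty or all-whitespace input), since q[-1] would then read before the buffer.` The lines that set the final `normalized->bv_len` are outside the hunk, so confirm they yield 0 in that case.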
